Good Fences Make Good Neighbors.

These tutorials are a simplified introduction, and are not sufficient on their own to achieve system safety. You are responsible for the safety of your system.
Critical System Isolation

■ Anti-Patterns for Isolation:
  • Low-SIL software can access critical data
  • Low-SIL software can block critical tasks

■ Need isolation between different SILs
  • Lower SIL assumed to compromise High SIL
    – Higher SIL → “trusted” (critical tasks)
    – Lower SIL → “untrusted” (non-critical tasks)
      » Corrupts high-SIL data values, timing, configuration
  • Hardware isolation is best option
    – Different SILs separated on different chips
    – Different networks for safety vs. non-safety data
      » Network data exchange is safety critical

[Figure: a Non-Critical Task (Low SIL) beside a Critical Task (High SIL); below, a Critical Microcontroller on a Critical Network, separated by a Safety Critical Firewall from a Low-SIL Microcontroller on a Low-SIL Network]
Mixed-SIL Interference Examples

■ Memory value interference
  • Non-critical task modifies critical variables
  • Non-critical ISR causes critical task stack overflow
  • Non-critical task memory leak; heap exhaustion
■ CPU time interference
  • Non-critical task runs at high priority; starves critical tasks
  • Non-critical task disables interrupts; delaying critical tasks
■ Watchdog timer
  • Non-critical task kicks watchdog regularly
  • Non-critical task disables watchdog
■ System configuration
  • Non-critical task changes digital output to input
■ Network
  • Non-critical node sends unsafe critical message

[Figure: a Non-Critical Task (Low SIL) interfering with a Critical Task (High SIL) through shared Config., Data and Network]
Mitigating Cross-SIL Interference

■ Develop all software at highest SIL
  • Avoids isolation, but increases expense
■ Hardware solution – separate CPU chips
  • Multi-core provides only partial isolation
■ High-SIL RTOS approaches
  • Hardware memory protection (MMU)
  • Hardware CPU time isolation (e.g., multi-core)
  • Virtualization of I/O and configuration
■ Other techniques can help for Low-SIL
  • Variable mirroring (two one’s complement copies)
  • Critical tasks run at high priorities or in ISRs
  • Non-modifiable watchdog timer configuration
■ Self-test is insufficient for High-SIL integrity
  • Fault in high SIL hardware can subvert self-test

[Figure: “Single CPU at SIL 3 or SIL 4” – CPU Core #1 and L1 caches, CPU Core #2 and L1 caches, sharing an L2 cache, a bus interface, and memory & I/O; each shared resource is marked “INTERFERENCE?”]
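The variable mirroring technique listed under “Other techniques can help for Low-SIL”, as an added C example that is not from the tutorial: a critical value is stored together with its one’s complement, and every read checks the pair before the value is used, so a stray write from a low-SIL task is detected instead of silently consumed. The type and function names (mirrored_u32, mirrored_set, mirrored_get) and the simulated stray write are constructed for illustration.

```c
#include <stdint.h>
#include <stdbool.h>

/* Constructed example: a high-SIL variable kept as a mirrored pair.
   The complement copy lets a reader detect that one copy was changed
   behind its back (e.g., by a wild pointer in a non-critical task). */
typedef struct {
    uint32_t value;       /* the critical value */
    uint32_t complement;  /* one's complement copy, always ~value */
} mirrored_u32;

/* Write both copies; only high-SIL code should ever call this. */
void mirrored_set(mirrored_u32 *m, uint32_t v) {
    m->value = v;
    m->complement = ~v;
}

/* Read with integrity check: returns false and leaves *out untouched
   when the copies disagree, so the caller can enter a safe state. */
bool mirrored_get(const mirrored_u32 *m, uint32_t *out) {
    if ((m->value ^ m->complement) != 0xFFFFFFFFu) {
        return false;  /* memory interference detected */
    }
    *out = m->value;
    return true;
}

/* Round trip of an uncorrupted pair must return the stored value. */
bool mirrored_roundtrip_ok(uint32_t v) {
    mirrored_u32 m;
    uint32_t got = 0;
    mirrored_set(&m, v);
    return mirrored_get(&m, &got) && got == v;
}

/* Simulated interference: non-critical code overwrites one copy.
   Returns 1 when the read correctly refuses the corrupted value. */
int demo_detects_corruption(void) {
    mirrored_u32 setpoint;
    uint32_t v = 0;
    mirrored_set(&setpoint, 1500u);
    if (!mirrored_get(&setpoint, &v) || v != 1500u) return 0;
    setpoint.value = 9000u;   /* stray write from a low-SIL task (constructed) */
    return mirrored_get(&setpoint, &v) ? 0 : 1;
}
```

Mirroring detects corruption of one copy; it does not prevent the write, and a fault that rewrites both copies consistently is not caught, which is why the slide treats it as a low-SIL aid rather than a substitute for hardware isolation.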
Lower-SIL task is ~ a malicious attacker
  • How can it disrupt higher-SIL software?
  • Consider: memory corruption, timing, configuration, network

Implications for safety:
  • A weaker fault model means making assumptions
  • Lower-SIL update means revisiting assumptions

Implications for security:
  • Higher-SIL functions more resistant to attack if isolated
  • Bad pattern: everything on one CPU with desktop OS
  • Better pattern: isolated CPUs with high-SIL critical RTOS
■ Use as much hardware isolation as you can
  • Consider:
    – Data value isolation
    – CPU time isolation
    – Configuration corruption
    – Shared resource isolation
  • Applies to any different SILs
    – Crucial for non-SIL vs. SIL 3/4
■ Pitfalls:
  • Multi-core CPU isn’t enough on its own (other shared resources!)
  • IEC 60730: Arguing that low-SIL software won’t interfere...
    ... requires re-arguing after every low-SIL change
[Comic panel, xkcd 651 “Bag Check”: “But if you’re worried about bombs, why are you letting me keep my laptop batteries? If I overvolted them and breached the cells, it would make a sizeable explosion.” / “Oh god, I...” / “It’s okay, dear. In a moment he’ll realize I have a good point and return my water.”]

https://m.xkcd.com/651/